lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:	Thu, 06 Feb 2014 15:01:31 +0100
From:	Nicolas Dichtel <nicolas.dichtel@...nd.com>
To:	François-Xavier Le Bail <fx.lebail@...oo.com>,
	"netdev@...r.kernel.org" <netdev@...r.kernel.org>
CC:	David Stevens <dlstevens@...ibm.com>,
	Bill Fink <billfink@...dspring.com>,
	Hannes Frederic Sowa <hannes@...essinduktion.org>,
	"David S. Miller" <davem@...emloft.net>,
	Alexey Kuznetsov <kuznet@....inr.ac.ru>,
	James Morris <jmorris@...ei.org>,
	Hideaki Yoshifuji <yoshfuji@...ux-ipv6.org>,
	Patrick McHardy <kaber@...sh.net>
Subject: Re: [PATCH net-next v2] ipv6: enable anycast addresses as source
 addresses in ICMPv6 error messages

Le 06/02/2014 13:38, François-Xavier Le Bail a écrit :
>> From: Nicolas Dichtel <nicolas.dichtel@...nd.com>
>
>
>> Subject: Re: [PATCH net-next v2] ipv6: enable anycast addresses as source addresses in ICMPv6 error messages
>>
>> Le 19/01/2014 17:00, Francois-Xavier Le Bail a écrit :
>>
>>>   - Uses ipv6_anycast_destination() in icmp6_send().
>>>
>>>   Suggested-by: Bill Fink <billfink@...dspring.com>
>>>   Signed-off-by: Francois-Xavier Le Bail <fx.lebail@...oo.com>
>> This patch causes an Oops on my target.
>
> What is your target ?
x86 32bits

>
>> Here is the step to reproduce it:
>> modprobe sit
>> ip link add sit1 type sit remote 10.16.0.121 local 10.16.0.249
>> ip l s sit1 up
>> ip -6 a a dev sit1 2001:1234::123 remote 2001:1234::121
>> ping6 2001:1234::121
>
> I cannot reproduce this in my target (updated net-next x86_64) and
> iproute2 from git.
I use linus tree (3.14-rc1+).

> Can you send me your config file ?
See attachment.

>
>> The problem is that ipv6_anycast_destination() uses unconditionally
>> skb_dst(skb), which is NULL in this case.
>>
>> Not sure what is the best way to fix this, any suggestions?
>
> I will try to reproduce first and see.
Note that the peer was not set up, hence the ping didn't work.
ipip6_err() calls ipip6_err_gen_icmpv6_unreach() which will drop the dst
before calling icmpv6_send().


Here is the backtrace:
[  387.786155] BUG: unable to handle kernel NULL pointer dereference at 00000096
[  387.787291] IP: [<c12f1568>] icmp6_send+0x79/0x596
[  387.788147] *pdpt = 0000000000000000 *pde = f000ff53f000ff53
[  387.789343] Oops: 0000 [#1] SMP
[  387.790002] Modules linked in: sit ip_tunnel rfcomm bnep bluetooth ppdev lp 
6lowpan_iphc rfkill crc16 cpufreq_userspace cpufreq_conservative cpufreq_stats 
cpufreq_powersave xfrm_user xfrm4_tunnel tunnel4 ipcomp xfrm_ipcomp esp4 ah4 
binfmt_misc deflate ctr twofish_generic twofish_i586 twofish_common 
camellia_generic serpent_generic blowfish_generic blowfish_common cast5_generic 
cast_common des_generic cbc xcbc rmd160 sha512_generic sha256_generic hmac 
crypto_null af_key xfrm_algo fuse nfsv3 nfsv4 nfsd auth_rpcgss oid_registry 
nfs_acl nfs lockd fscache sunrpc 8021q garp stp llc sctp loop sg sr_mod cdrom 
8139too psmouse i2c_piix4 8139cp pcspkr processor parport_pc parport evdev 
microcode floppy button mii serio_raw i2c_core thermal_sys ext3 mbcache jbd 
sd_mod crc_t10dif crct10dif_common ata_generic ata_piix libata scsi_mod
[  387.790055] CPU: 5 PID: 0 Comm: swapper/5 Not tainted 3.14.0-rc1+ #67
[  387.790055] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2007
[  387.790055] task: f286b010 ti: f29a6000 task.ti: f2892000
[  387.790055] EIP: 0060:[<c12f1568>] EFLAGS: 00210246 CPU: 5
[  387.790055] EIP is at icmp6_send+0x79/0x596
[  387.790055] EAX: 00000000 EBX: f752a2c0 ECX: f1925800 EDX: 00000000
[  387.790055] ESI: 000e0001 EDI: 00000000 EBP: f1bfbf96 ESP: f29a7e04
[  387.790055]  DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068
[  387.790055] CR0: 8005003b CR2: 00000096 CR3: 01537000 CR4: 000006f0
[  387.790055] Stack:
[  387.790055]  f1bfbf7e 00000000 f29a7e2c c14a6f40 030116f2 f29a7e1c c12e59b3 
f21602c0
[  387.790055]  f747b240 00000001 c14a6f40 f1bfbf96 f29a7e64 c12e4ff6 c12e59b3 
00000000
[  387.790055]  00000000 00000000 00000000 00000000 34120120 00000000 00000000 
23010000
[  387.790055] Call Trace:
[  387.790055]  [<c12e59b3>] ? rt6_multipath_select+0xa7/0xa7
[  387.790055]  [<c12e4ff6>] ? rt6_lookup+0x60/0x89
[  387.790055]  [<c12e59b3>] ? rt6_multipath_select+0xa7/0xa7
[  387.790055]  [<c12f14ef>] ? icmpv6_push_pending_frames+0xc6/0xc6
[  387.790055]  [<c130314e>] ? icmpv6_send+0x17/0x1a
[  387.790055]  [<f850a85d>] ? ipip6_err+0x1bb/0x213 [sit]
[  387.790055]  [<f85ce03b>] ? tunnel64_err+0x16/0x25 [tunnel4]

View attachment "config.oops" of type "text/plain" (102962 bytes)

Powered by blists - more mailing lists